Merge "Fix privilege escalation" into stable/train

This commit is contained in:
Zuul 2020-07-14 07:25:10 +00:00 committed by Gerrit Code Review
commit 77a6593749
9 changed files with 44 additions and 2 deletions


@ -3,6 +3,7 @@
# TODO(emilien) convert this whole task in a module # TODO(emilien) convert this whole task in a module
# https://bugs.launchpad.net/tripleo/+bug/1884577 # https://bugs.launchpad.net/tripleo/+bug/1884577
- name: "Remove old {{ item.0 }} container startup configs" - name: "Remove old {{ item.0 }} container startup configs"
become: true
file: file:
path: "/var/lib/tripleo-config/container-startup-config/{{ item.0 }}" path: "/var/lib/tripleo-config/container-startup-config/{{ item.0 }}"
state: absent state: absent
@ -15,6 +16,7 @@
setype: svirt_sandbox_file_t setype: svirt_sandbox_file_t
- name: "Creating container startup configs for {{ item.0 }}" - name: "Creating container startup configs for {{ item.0 }}"
become: true
copy: copy:
content: "{{ startup_data.value | to_nice_json }}" content: "{{ startup_data.value | to_nice_json }}"
dest: "/var/lib/tripleo-config/container-startup-config/{{ item.0 }}/{{ startup_data.key }}.json" dest: "/var/lib/tripleo-config/container-startup-config/{{ item.0 }}/{{ startup_data.key }}.json"
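Review bot: Both tasks now delete and write under `/var/lib/tripleo-config/container-startup-config/{{ item.0 }}` as root, and nothing in the hunk constrains `item.0`; the loop that supplies it is outside the hunk. If it is always one of the fixed `step_X` directory names this layout elsewhere in the commit describes, that is fine, but a `file: state: absent` running as root on a templated path deserves a guard if the value can ever derive from service-supplied data, e.g. `assert: { that: "item.0 is match('^step_[0-9]+$')" }` before the removal, or at least a comment above the task naming where `item.0` comes from. The `copy` task's `mode`/`owner` attributes, if any, are also past the end of the hunk, so I could not confirm the generated JSON is not left world-readable now that root writes it.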


@ -33,6 +33,7 @@
- hosts: "{{ deploy_target_host }}" - hosts: "{{ deploy_target_host }}"
name: Ensure /var/lib/config-data context name: Ensure /var/lib/config-data context
become: true
gather_facts: false gather_facts: false
any_errors_fatal: yes any_errors_fatal: yes
tasks: tasks:
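Review bot: `become: true` at play level escalates every task of "Ensure /var/lib/config-data context" to root, whereas most of this commit adds it per task; the play's tasks are past the end of the hunk, so I cannot tell whether each of them needs root. If the play only relabels `/var/lib/config-data`, a task-level `become: true` on that `file`/`sefcontext` task keeps the privilege scoped and consistent with the other files. Either way a one-line comment such as `# become at play level: every task here touches /var/lib/config-data as root` would record why the whole play escalates.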


@ -5,8 +5,10 @@
msg: Use --start-at-task 'Deploy step tasks for step 0' to resume from this task msg: Use --start-at-task 'Deploy step tasks for step 0' to resume from this task
when: "tripleo_minor_update is not defined or tripleo_minor_update != 'true'" when: "tripleo_minor_update is not defined or tripleo_minor_update != 'true'"
- name: Ensure /var/log/journal exists - name: Ensure /var/log/journal exists
become: true
file: path=/var/log/journal state=directory mode=0750 owner=root group=root setype=var_log_t file: path=/var/log/journal state=directory mode=0750 owner=root group=root setype=var_log_t
- name: Create /var/lib/container-puppet - name: Create /var/lib/container-puppet
become: true
no_log: True no_log: True
file: path=/var/lib/container-puppet state=directory setype=container_file_t selevel=s0 recurse=true file: path=/var/lib/container-puppet state=directory setype=container_file_t selevel=s0 recurse=true
- name: Write container-puppet.py if Paunch is enabled - name: Write container-puppet.py if Paunch is enabled
@ -22,6 +24,7 @@
when: when:
- not (enable_paunch|bool) - not (enable_paunch|bool)
- name: Write container-puppet.sh - name: Write container-puppet.sh
become: true
no_log: True no_log: True
copy: src=container_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.sh force=yes mode=0755 setype=container_file_t copy: src=container_puppet_script.yaml dest=/var/lib/container-puppet/container-puppet.sh force=yes mode=0755 setype=container_file_t
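Review bot: Now that "Create /var/lib/container-puppet" and "Write container-puppet.sh" run as root, their `no_log: True` suppresses the module result and error text of a privileged filesystem write, which costs auditability without protecting anything visible here: the first task only creates a directory and the second copies a static role file (`container_puppet_script.yaml`). Unless that script carries secrets, drop `no_log: True` from both tasks so failures of root-level writes remain in the play output and logs. Separately, `file: path=/var/log/journal ... mode=0750 ...` uses the key=value string form, which hides the octal mode from YAML tooling; the block form with `mode: "0750"` is the Ansible idiom and what the rest of this commit uses.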


@ -1,6 +1,7 @@
- name: Write config data at the start of step 1 - name: Write config data at the start of step 1
block: block:
- name: Create and ensure setype for /var/log/containers directory - name: Create and ensure setype for /var/log/containers directory
become: true
file: file:
path: /var/log/containers path: /var/log/containers
state: directory state: directory
@ -10,6 +11,7 @@
tags: tags:
- host_config - host_config
- name: Create ContainerLogStdoutPath directory - name: Create ContainerLogStdoutPath directory
become: true
file: file:
path: "{{ container_log_stdout_path }}" path: "{{ container_log_stdout_path }}"
state: directory state: directory
@ -17,6 +19,7 @@
tags: tags:
- host_config - host_config
- name: Create /var/lib/tripleo-config directory - name: Create /var/lib/tripleo-config directory
become: true
file: file:
path: /var/lib/tripleo-config path: /var/lib/tripleo-config
state: directory state: directory
@ -31,6 +34,7 @@
- container_startup_configs - container_startup_configs
- name: Delete existing /var/lib/tripleo-config/check-mode directory for check mode - name: Delete existing /var/lib/tripleo-config/check-mode directory for check mode
become: true
file: file:
path: /var/lib/tripleo-config/check-mode path: /var/lib/tripleo-config/check-mode
state: absent state: absent
@ -45,6 +49,7 @@
check_mode: no check_mode: no
- name: Create /var/lib/tripleo-config/check-mode directory for check mode - name: Create /var/lib/tripleo-config/check-mode directory for check mode
become: true
file: file:
path: /var/lib/tripleo-config/check-mode path: /var/lib/tripleo-config/check-mode
state: directory state: directory
@ -63,6 +68,7 @@
# Puppet manifest for baremetal host configuration # Puppet manifest for baremetal host configuration
- name: Write the puppet step_config manifest - name: Write the puppet step_config manifest
become: true
no_log: True no_log: True
copy: copy:
content: "{{ lookup('file', tripleo_role_name + '/step_config.pp', errors='ignore') | default('', True) }}" content: "{{ lookup('file', tripleo_role_name + '/step_config.pp', errors='ignore') | default('', True) }}"
@ -99,6 +105,7 @@
# Puppet Containers Config directory used to generate container configs # Puppet Containers Config directory used to generate container configs
- name: Create /var/lib/container-puppet - name: Create /var/lib/container-puppet
become: true
file: file:
path: /var/lib/container-puppet path: /var/lib/container-puppet
state: directory state: directory
@ -111,6 +118,7 @@
# For backward compatibility in Stein, so our operators have time # For backward compatibility in Stein, so our operators have time
# to learn about the new directory. # to learn about the new directory.
- name: Create /var/lib/docker-puppet for backward compatibility - name: Create /var/lib/docker-puppet for backward compatibility
become: true
file: file:
path: /var/lib/docker-puppet path: /var/lib/docker-puppet
state: directory state: directory
@ -119,6 +127,7 @@
- container_config_tasks - container_config_tasks
- name: Deprecation file about /var/lib/docker-puppet - name: Deprecation file about /var/lib/docker-puppet
become: true
copy: copy:
dest: /var/lib/docker-puppet/readme.txt dest: /var/lib/docker-puppet/readme.txt
content: | content: |
@ -127,6 +136,7 @@
ignore_errors: true ignore_errors: true
- name: Delete existing /var/lib/container-puppet/check-mode for check mode - name: Delete existing /var/lib/container-puppet/check-mode for check mode
become: true
file: file:
path: /var/lib/container-puppet/check-mode path: /var/lib/container-puppet/check-mode
state: absent state: absent
@ -137,6 +147,7 @@
- ansible_check_mode|bool - ansible_check_mode|bool
- name: Create /var/lib/container-puppet/check-mode for check mode - name: Create /var/lib/container-puppet/check-mode for check mode
become: true
file: file:
path: /var/lib/container-puppet/check-mode path: /var/lib/container-puppet/check-mode
state: directory state: directory
@ -149,6 +160,7 @@
- ansible_check_mode|bool - ansible_check_mode|bool
- name: Write container-puppet.json file - name: Write container-puppet.json file
become: true
no_log: True no_log: True
copy: copy:
content: "{{ lookup('file', tripleo_role_name + '/puppet_config.yaml', errors='ignore') | default([], True) | from_yaml | to_nice_json }}" content: "{{ lookup('file', tripleo_role_name + '/puppet_config.yaml', errors='ignore') | default([], True) | from_yaml | to_nice_json }}"
@ -184,6 +196,7 @@
- container_config - container_config
- name: Create /var/lib/container-config-scripts - name: Create /var/lib/container-config-scripts
become: true
file: file:
path: /var/lib/container-config-scripts path: /var/lib/container-config-scripts
state: directory state: directory
@ -195,6 +208,7 @@
# /var/lib/container-startup-configs.json is removed as we now write # /var/lib/container-startup-configs.json is removed as we now write
# per-step files instead # per-step files instead
- name: Clean old /var/lib/container-startup-configs.json file - name: Clean old /var/lib/container-startup-configs.json file
become: true
file: file:
path: /var/lib/container-startup-configs.json path: /var/lib/container-startup-configs.json
state: absent state: absent
@ -203,6 +217,7 @@
# For legacy, can be removed in Train cycle # For legacy, can be removed in Train cycle
- name: Clean old /var/lib/docker-container-startup-configs.json file - name: Clean old /var/lib/docker-container-startup-configs.json file
become: true
file: file:
path: /var/lib/docker-container-startup-configs.json path: /var/lib/docker-container-startup-configs.json
state: absent state: absent
@ -212,6 +227,7 @@
- name: Write container config scripts - name: Write container config scripts
no_log: True no_log: True
become: true
copy: copy:
content: "{{ item[1].content }}" content: "{{ item[1].content }}"
dest: "/var/lib/container-config-scripts/{{ item[0] }}" dest: "/var/lib/container-config-scripts/{{ item[0] }}"
@ -250,6 +266,7 @@
# /var/lib/tripleo-config/container-startup-config/step_X/<container_name>.json # /var/lib/tripleo-config/container-startup-config/step_X/<container_name>.json
# Can be removed in V cycle # Can be removed in V cycle
- name: Write /var/lib/tripleo-config/container-startup-config-readme.txt - name: Write /var/lib/tripleo-config/container-startup-config-readme.txt
become: true
no_log: True no_log: True
copy: copy:
content: "Container startup configs moved to /var/lib/tripleo-config/container-startup-config" content: "Container startup configs moved to /var/lib/tripleo-config/container-startup-config"
@ -263,6 +280,7 @@
# However, container_puppet.py won't create their hashed version if # However, container_puppet.py won't create their hashed version if
# config changed. # config changed.
- name: Write per-step container startup configs for backward compatibility - name: Write per-step container startup configs for backward compatibility
become: true
no_log: True no_log: True
copy: copy:
content: "{{ item[1] | to_nice_json }}" content: "{{ item[1] | to_nice_json }}"
@ -289,6 +307,7 @@
- container_startup_configs - container_startup_configs
- name: Create /var/lib/kolla/config_files directory - name: Create /var/lib/kolla/config_files directory
become: true
file: file:
path: /var/lib/kolla/config_files path: /var/lib/kolla/config_files
state: directory state: directory
@ -299,6 +318,7 @@
- container_startup_configs - container_startup_configs
- name: Create /var/lib/config-data directory - name: Create /var/lib/config-data directory
become: true
file: file:
path: /var/lib/config-data path: /var/lib/config-data
state: directory state: directory
@ -306,6 +326,7 @@
selevel: s0 selevel: s0
- name: Write kolla config json files - name: Write kolla config json files
become: true
no_log: True no_log: True
copy: copy:
content: "{{ item[1] | to_nice_json }}" content: "{{ item[1] | to_nice_json }}"
@ -353,6 +374,7 @@
- container_config - container_config
- name: Create /etc/puppet/check-mode/hieradata directory for check mode - name: Create /etc/puppet/check-mode/hieradata directory for check mode
become: true
file: file:
path: /etc/puppet/check-mode/hieradata path: /etc/puppet/check-mode/hieradata
state: directory state: directory
@ -368,6 +390,7 @@
- container_config - container_config
- name: Create puppet check-mode files if they don't exist for check mode - name: Create puppet check-mode files if they don't exist for check mode
become: true
shell: | shell: |
cp -a /etc/puppet/hiera.yaml /etc/puppet/check-mode/hiera.yaml cp -a /etc/puppet/hiera.yaml /etc/puppet/check-mode/hiera.yaml
cp -a /etc/puppet/hieradata/* /etc/puppet/check-mode/hieradata/ cp -a /etc/puppet/hieradata/* /etc/puppet/check-mode/hieradata/
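Review bot: "Create puppet check-mode files if they don't exist for check mode" now runs `cp -a /etc/puppet/hiera.yaml ...` and `cp -a /etc/puppet/hieradata/* ...` as root through `shell:`, but both `cp -a` commands overwrite unconditionally, so the task name and behaviour disagree unless a `creates:` or `when:` follows past the end of the hunk. Adding `args: {creates: /etc/puppet/check-mode/hiera.yaml}` makes it idempotent and stops a root shell from re-copying hieradata on every run; if hieradata holds service credentials, as it presumably may, `-a` preserving the restrictive owner/mode is what keeps the copy safe, and a comment `# -a keeps owner/mode of hieradata, which may contain credentials` should say so. The `/etc/puppet/hieradata/*` glob also fails the task when the directory is empty (unexpanded `*`); `cp -a /etc/puppet/hieradata/. /etc/puppet/check-mode/hieradata/` avoids that.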


@ -3,6 +3,7 @@
##################################################### #####################################################
- name: Write the config_step hieradata - name: Write the config_step hieradata
become: true
no_log: True no_log: True
copy: copy:
content: "{{ dict(step=step|int) | to_json }}" content: "{{ dict(step=step|int) | to_json }}"
@ -14,6 +15,7 @@
- host_config - host_config
- name: Run puppet host configuration for step {{ step }} - name: Run puppet host configuration for step {{ step }}
become: true
async: 3600 async: 3600
poll: 0 poll: 0
when: enable_puppet|bool when: enable_puppet|bool
@ -197,6 +199,7 @@
- name: Per step starting of the containers using tripleo-ansible - name: Per step starting of the containers using tripleo-ansible
when: not (enable_paunch|bool) when: not (enable_paunch|bool)
become: true
environment: environment:
TRIPLEO_MINOR_UPDATE: '{{ tripleo_minor_update | default(false) }}' TRIPLEO_MINOR_UPDATE: '{{ tripleo_minor_update | default(false) }}'
block: block:
@ -223,6 +226,7 @@
######################################################## ########################################################
- name: "Clean container_puppet_tasks for {{ansible_hostname | lower}} step {{step}}" - name: "Clean container_puppet_tasks for {{ansible_hostname | lower}} step {{step}}"
become: true
file: file:
path: /var/lib/container-puppet/container-puppet-tasks{{step}}.json path: /var/lib/container-puppet/container-puppet-tasks{{step}}.json
state: absent state: absent
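Review bot: `TRIPLEO_MINOR_UPDATE: '{{ tripleo_minor_update | default(false) }}'` in the block that now runs as root renders as the string `False` when the variable is unset, while the same variable is compared as the string `'true'` elsewhere in this commit (`tripleo_minor_update != 'true'`); the consumer of the environment variable, outside this hunk, therefore has to accept both spellings. `default('false')` (quoted) keeps the value a consistent lowercase string in both places. The block's tasks are past the end of the hunk, so whether every one of them needs root is unverified from here.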


@ -437,6 +437,7 @@ outputs:
any_errors_fatal: yes any_errors_fatal: yes
tasks: tasks:
- name: Set selinux state - name: Set selinux state
become: true
selinux: selinux:
policy: targeted policy: targeted
state: SELINUX_MODE state: SELINUX_MODE
@ -476,6 +477,7 @@ outputs:
- hosts: {{primary_role_name}}:DEPLOY_TARGET_HOST - hosts: {{primary_role_name}}:DEPLOY_TARGET_HOST
name: Overcloud deploy step tasks for step 0 name: Overcloud deploy step tasks for step 0
become: true
gather_facts: "{% raw %}{{ gather_facts | default(false) }}{% endraw %}" gather_facts: "{% raw %}{{ gather_facts | default(false) }}{% endraw %}"
any_errors_fatal: yes any_errors_fatal: yes
vars: vars:
@ -547,6 +549,7 @@ outputs:
- "{{ tripleo_role_name ~ '/NetworkConfig' }}" - "{{ tripleo_role_name ~ '/NetworkConfig' }}"
- name: NetworkConfig - name: NetworkConfig
become: true
block: block:
- name: Create /var/lib/tripleo-config/scripts directory - name: Create /var/lib/tripleo-config/scripts directory
file: file:
@ -635,6 +638,7 @@ outputs:
- hosts: {{primary_role_name}}:DEPLOY_TARGET_HOST - hosts: {{primary_role_name}}:DEPLOY_TARGET_HOST
name: Host prep steps name: Host prep steps
become: true
gather_facts: "{% raw %}{{ gather_facts | default(false) }}{% endraw %}" gather_facts: "{% raw %}{{ gather_facts | default(false) }}{% endraw %}"
any_errors_fatal: yes any_errors_fatal: yes
vars: vars:
@ -700,6 +704,7 @@ outputs:
- hosts: {{primary_role_name}}:DEPLOY_TARGET_HOST - hosts: {{primary_role_name}}:DEPLOY_TARGET_HOST
name: Overcloud deploy step tasks for {{step}} name: Overcloud deploy step tasks for {{step}}
become: true
gather_facts: "{% raw %}{{ gather_facts | default(false) }}{% endraw %}" gather_facts: "{% raw %}{{ gather_facts | default(false) }}{% endraw %}"
any_errors_fatal: yes any_errors_fatal: yes
# FIXME(shardy) - it would be nice to use strategy: free to # FIXME(shardy) - it would be nice to use strategy: free to
@ -781,6 +786,7 @@ outputs:
{%- endfor %} {%- endfor %}
- hosts: {{primary_role_name}}:DEPLOY_TARGET_HOST - hosts: {{primary_role_name}}:DEPLOY_TARGET_HOST
name: Server Post Deployments name: Server Post Deployments
become: true
gather_facts: "{% raw %}{{ gather_facts | default(false) }}{% endraw %}" gather_facts: "{% raw %}{{ gather_facts | default(false) }}{% endraw %}"
any_errors_fatal: yes any_errors_fatal: yes
tasks: tasks:
@ -991,6 +997,7 @@ outputs:
{%- for step in range(0,upgrade_steps_max) %} {%- for step in range(0,upgrade_steps_max) %}
- hosts: DEPLOY_TARGET_HOST - hosts: DEPLOY_TARGET_HOST
name: Upgrade tasks for step {{step}} name: Upgrade tasks for step {{step}}
become: true
gather_facts: "{% raw %}{{ gather_facts | default(false) }}{% endraw %}" gather_facts: "{% raw %}{{ gather_facts | default(false) }}{% endraw %}"
any_errors_fatal: yes any_errors_fatal: yes
vars: vars:
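Review bot: Play-level `become: true` on "Overcloud deploy step tasks for step 0", "Host prep steps", the per-step deploy plays, "Server Post Deployments" and "Upgrade tasks" makes every task the service templates contribute to those plays run as root, including ones that only `set_fact`, `debug` or `include_role`, which is the opposite of the per-task scoping the other files in this commit adopt. It is pragmatic given those templated tasks cannot be audited here, but it widens the blast radius of any buggy or compromised service template, so a comment on each play such as `# become at play level: service-provided tasks are not yet annotated with become individually` would record this as a stopgap rather than a design choice. The `become: true` added to the NetworkConfig block appears to sit inside the step-0 play that is already `become: true`, making it redundant; harmless, but worth removing or noting for consistency.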


@ -45,6 +45,7 @@
- name: Block for container-puppet tasks (generate config) during step {{ step }} with tripleo-ansible - name: Block for container-puppet tasks (generate config) during step {{ step }} with tripleo-ansible
when: when:
- not (enable_paunch|bool) - not (enable_paunch|bool)
become: true
tags: tags:
- container_config - container_config
block: block:
@ -83,6 +84,7 @@
tripleo_container_manage_valid_exit_code: [0, 2] tripleo_container_manage_valid_exit_code: [0, 2]
- name: Diff puppet-generated changes for check mode - name: Diff puppet-generated changes for check mode
become: true
shell: | shell: |
diff -ruN --no-dereference -q /var/lib/config-data/puppet-generated /var/lib/config-data/check-mode/puppet-generated diff -ruN --no-dereference -q /var/lib/config-data/puppet-generated /var/lib/config-data/check-mode/puppet-generated
diff -ruN --no-dereference /var/lib/config-data/puppet-generated /var/lib/config-data/check-mode/puppet-generated diff -ruN --no-dereference /var/lib/config-data/puppet-generated /var/lib/config-data/check-mode/puppet-generated
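Review bot: "Diff puppet-generated changes for check mode" now runs both `diff -ruN` commands as root, so it can read every file under `/var/lib/config-data/puppet-generated` and the second, non-`-q` invocation prints full content differences into the Ansible output; puppet-rendered service configuration commonly carries credentials, so check mode can leak them into logs and CI artefacts. Keep the `-q` file-level summary, and consider either dropping the verbose second `diff` or guarding it with `no_log: "{{ not (ansible_verbosity | int > 1) }}"` so secrets only appear on an explicit verbose run. Also note `diff` exits 1 when files differ, so without a `failed_when`/`register` past the end of the hunk the task would fail exactly when it has something to report; I cannot see whether that is handled.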


@ -5,6 +5,7 @@
include_role: include_role:
name: tripleo-hieradata name: tripleo-hieradata
- name: Hiera symlink - name: Hiera symlink
become: true
file: file:
src: /etc/puppet/hiera.yaml src: /etc/puppet/hiera.yaml
dest: /etc/hiera.yaml dest: /etc/hiera.yaml


@ -36,9 +36,8 @@ outputs:
description: Role data for tmpwatch install description: Role data for tmpwatch install
value: value:
service_name: logrotate_tmpwatch service_name: logrotate_tmpwatch
deploy_steps_tasks: host_prep_tasks:
- name: install tmpwatch on the host - name: install tmpwatch on the host
when: step|int == 1
package: package:
name: tmpwatch name: tmpwatch
state: installed state: installed
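Review bot: Moving the tmpwatch install into `host_prep_tasks` leaves the task without its own privilege declaration: the `package` module needs root, and the task now relies on the enclosing "Host prep steps" play being `become: true`, which this commit adds in the deploy-steps template. Adding `become: true` on the task itself, as the other task-level changes in this commit do, keeps it working if host_prep_tasks are ever rendered into a play without play-level become. Dropping `when: step|int == 1` is correct since host_prep_tasks are not step-scoped.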